LastPass: Notice of Security Incident

blog.lastpass.com

315 points by marconey 3 years ago · 140 comments

autoexec 3 years ago

Not enough data to say what the impact of this is. Good for them disclosing it early while they investigate.

> we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.

One way to prevent risk to your passwords in the event of a security breach is to not store them in the cloud at all. KeePass is great!

  • smt88 3 years ago

    Most people use a work machine and a mobile device, so cloud syncing is absolutely necessary.

    LastPass and its competitors theoretically have zero-knowledge storage of everyone's passwords, so even a full breach of their servers would fail to leak passwords.

    • autoexec 3 years ago

      > Most people use a work machine and a mobile device, so cloud syncing is absolutely necessary.

      I keep a password database on the company network with all my work passwords and I have no need to keep a copy of those credentials on a bunch of my personal devices or cloud servers.

      My personal passwords are stored on my own personal devices. Syncing between them can be done using any number of methods without uploading to the cloud, but even if I wanted to use somebody else's servers to do that a properly encrypted file with a very strong password could be safely stored anywhere, so there's no need to limit myself to one company's servers. I can use whatever works best for my needs and won't have to worry about what I'd do if the one I was using goes under or becomes unavailable. In exchange for a little extra work you gain a ton of utility and resiliency

      • smt88 3 years ago

        Yeah, again: all of this is great for you, but it doesn't change the fact that you are a very, very niche case. You can't just dismiss cloud syncing of passwords because you are the edge case who doesn't need it.

        > I keep a password database on the company network with all my work passwords and I have no need to keep a copy of those credentials on a bunch of my personal devices or cloud servers.

        That doesn't work for mobile devices. Most people have a work mobile device.

        > even if I wanted to use somebody else's servers to do that a properly encrypted file with a very strong password could be safely stored anywhere

        This is literally how LastPass and 1Password handle it. If you lose your key, the file in the cloud becomes useless.

        > In exchange for a little extra work...

        "A little extra work" that is beyond the skills of the vast majority of users.

        > ...you gain a ton of utility and resiliency

        As someone who used KeePass for more than 10 years until recently, I can honestly say that it was a massive reduction of utility and had no resiliency benefits.

        • fezfight 3 years ago

          You've picked a strange subset of 'most' for the people you're imagining. They are savvy enough to know what a password manager is, but not savvy enough to deal with an offline one. Are you sure it's not just a few people like you?

          • HelloMcFly 3 years ago

            > They are savy enough to know what a password manager is, but not savy enough to deal with an offline one.

            Not the person you responded to, but: I think that most people are savvy enough to know what a password manager is, and most people are not savvy enough to be interested in the work necessary to set up, personalize, and maintain an offline password manager that functions well across multiple devices. That doesn't sound like a niche subset to me, but I could be way off.

            • fezfight 3 years ago

              My point is to illustrate that the commenter is speaking out of their respective ass. None of us know what the average person thinks, we are a group of tremendous nerds who are engaging, not just reading, in the comments section to a post about a flipping password manager.

              • smt88 3 years ago

                I'm speaking out of personal experience trying to get non-average users (my friends and family, some of whom work in non-technical roles at software companies) to understand and use password managers.

                Most of them can't and won't invest the time just to switch to 1Password. The average person isn't going to exceed that bar by a margin that even I, a software developer, wouldn't bother with.

                When something is too technical for even an average developer to bother with (because it's unnecessary, not because it's hard), it is totally hopeless for the average user.

                • nunez 3 years ago

                  it took a LOOOONG time to get my wife into using a password manager, specifically 1Pass. I'm super comfortable with an offline password manager, but there is not a chance in hell that I'd subject her to that

                  for a large amount of people, tech and non-tech alike, LastPass and 1Pass are really really good.

                • fezfight 3 years ago

                  Paragraph one is good. In paragraph two, you're doing it again. :D

                  It's easy, unless you have actual data, what you have is an opinion.

              • HelloMcFly 3 years ago

                Many of us in this forum are people that have tried to influence those around us - family, friends, coworkers - to use better security practices such as password managers. Those personal experiences alongside the prevalence and adoption of cloud-sync enabled password managers (including browsers) creates a reasonable foundation from which to form a not-fully-ignorant opinion.

                • fezfight 3 years ago

                  Yes, like me, and I've had success with getting people to use keepass. Should I extrapolate my personal anecdote to apply to everyone?

                  • HelloMcFly 3 years ago

                    You have had success getting non-technically oriented friends and family to use Keepass across multiple devices? Then you're doing far better than me.

                    I don't think your experience is representative. As I stated in my previous comment, I think the relative success of cloud-enabled password managers vs. more secure options like Keepass are a non-anecdotal form of support for this opinion. But I would be way off (which I also acknowledge).

                    • fezfight 3 years ago

                      Could be that those companies use marketing? Keepass doesn't market. Hard to say without any facts. :D

              • nicoburns 3 years ago

                I’ve sold some friends and family on password managers, and the cloud syncing has been a key part of getting them to accept it. The alternative is often shortish passwords shared between systems.

            • Msw242 3 years ago

              I'm savvy enough to maintain an offline password manager, but fuck that noise.

              It's already painful enough to use a cloud password manager; why would I burn hours more of time to maintain a worse experience?

            • noctis 3 years ago

              How about cloud storage? iCloud, OneDrive, Google Drive, etc. Good apps support those out of box; for desktop install their client and use the file as you normally would.

          • sixothree 3 years ago

            Have you literally not used the password save feature in iOS? What about this password manager makes you think the people using it can duplicate the features using an offline version?

      • archi42 3 years ago

        Copying files has the disadvantage of requiring some merge mechanism, or not permitting parallel modification.

        I found vaultwarden to be a nice alternative. It runs on my server at home, to which I connect the relevant devices by VPN. It still requires the server to be online for modification (& the VPN connected), which I find to be a bit annoying, but it solves the concurrent modification issue. Plus, passwords are encrypted at rest and the browser extension verifies I'm using the password on a legitimate website (anti-phishing).

        But if you're happy with your variant, I guess that's fine as well :)

    • AdamJacobMuller 3 years ago

      > even a full breach of their servers would fail to leak passwords

      This is a dangerous fallacy. Nothing fundamentally would prevent someone who attacked their infrastructure from pushing a malicious app update or a malicious extension update which exfiltrated the decrypted library from the client side.

      • smt88 3 years ago

        I wasn't specific about that. I should have said a full dump of their database.

        Yes, if someone got into their supply chain, they could push a malicious update. That's also true of KeePass and every other password manager. There's no way to avoid that vector.

      • woojoo666 3 years ago

        Are there any instances of this happening? I feel like it would be caught so fast it's not worth trying

        • asoberbeck 3 years ago

          > As customers downloaded the update, they unwittingly pulled down and installed the backdoor at the same time. The malicious code was itself cleverly designed, would execute commands, and provided remote admin access. The hackers then used that foothold to create and cryptographically sign the necessary security tokens to hoodwink systems into believing subsequent access to other accounts and resources was legitimate.

          https://www.theregister.com/2020/12/15/solar_winds_update/

          • woojoo666 3 years ago

            Wow, that is worrying how long it took to catch... seems like companies need to be monitoring their releases more carefully

    • armada651 3 years ago

      You can sync the encrypted KeePass database using Dropbox and then your zero-knowledge cloud storage won't just be theoretical.

      Simply secure the database with a password and keyfile then copy the key file manually to your mobile devices and workstation.

      That way you can be certain that your cloud provider has zero knowledge of your key file and also doesn't control the application in which you enter the master password.

      • vlan0 3 years ago

        While this is true, and I did this for the better part of 2010s, it was pretty clunky. Especially if one needs a platform for their wife or children to also use.

        I'm gonna ride out LastPass until webauthn really takes off. Which could be soon based on what we're hearing from the mobile vendors.

      • collegeburner 3 years ago

        You don't even need Dropbox, for a Linux user, you can already build such a system yourself quite trivially by getting an FTP account, mounting it locally with curlftpfs, and then using SVN or CVS on the mounted filesystem. From Windows or Mac, this FTP account could be accessed through built-in software.

      • andreareina 3 years ago

        I've had multiple failures to merge (including corrupted databases) with keepass. I'm still using it but I'm considering moving to {bit,vault}warden

      • Timothycquinn 3 years ago

        I sync my keepass using signal's 'note to self' feature.

    • ta988 3 years ago

      A breach in the software distribution and signing servers would be quite disastrous.

    • jrm4 3 years ago

      That "theoretically" is carrying significantly more water in this example than is smart to assume.

    • jackdawipper 3 years ago

      hack code, roll out app updates... you see where this is going?

  • zikduruqe 3 years ago

    Or just use the tools already on your computer.

    www.passwordstore.org and stand up your own bare git repo.

    • aborsy 3 years ago

      Pass with Yubikey is great! It’s amazing how much this simple shell script can conveniently do.

      You can literally audit this password manager in 30 mins! Thus, I feel it’s more secure than a complex solution like LastPass, since the code is small and a Yubikey touch gives you a chance at one password (with other password managers the whole vault is unlocked and all passwords are at risk and may be extracted at once).

      Pass has advantages over other password managers (even though it has some limitations too).

      • aaaaaaaaata 3 years ago

        Creator of pass is the creator of Wireguard, which is awesome for similar reasons.

        Guy's a legend.

    • b0afc375b5 3 years ago

      I loved keepass but I wanted to manage my passwords in the cli. Found out that pass exists, switched to it, and have been using it ever since.

      I have my pass repo somewhere on the internet and the android/ios clients have been adequate for me.

  • Barrin92 3 years ago

    >One way to prevent risk to your passwords in the event of a security breach is to not store them in the cloud at all.

    If your passwords are encrypted you can put that file on a Times Square billboard and it doesn't matter. That is the entire point of encryption, moving sensitive data across adversarial channels. If you don't trust the encryption of the software you're using, well that's a good indication to not use it at all. But if you do there's literally zero point to not use a cloud provider.

  • octobus2021 3 years ago

    A wise sysadmin said in the days of my youth: "The only perfect firewall is a pair of scissors" :)

    • woleium 3 years ago

      • octobus2021 3 years ago

        I was going to add "and Faraday Cage" until I got to

        > For the current experiment, researchers argue that malware that managed to infect an air-gapped [offline] computer can transform and modulate locally stored files into audio signals and relay them to another nearby computer via connected speakers, headphones, earphones, or earbuds.

        Which still requires infecting the offline computer somehow (and a connected machine in close proximity as well).

        Point taken though, nothing is perfect. And if everything else fails, there's always social engineering :)

  • irrational 3 years ago

    I have 5 laptops, 6 mobile devices and a desktop machine that I am constantly moving between. All of them are ios or macos. I have been using lastpass since it is so simple and works flawlessly. Will keepass work as simply for my use case?

  • gorbachev 3 years ago

    Early? It happened two weeks ago. That doesn't fit my definition of early.

  • jackdawipper 3 years ago

    by disclosing it early you mean two weeks later

mancini0 3 years ago

Lesspass generates reproducible unique passwords from inputs (username, domain, masterpassword). It works without an internet connection and is open source. You only need their cloud storage if you want to backup metadata about the password requirements for specific sites (i.e., no special chars allowed by foo.com, bar.com requires a capital letter and a number, etc.) This metadata can also be stored locally. The command line utility is great; they also offer Mozilla / Chrome extensions and mobile apps. I bash alias the command line command to copy the password into the clipboard, so when I navigate to a site on my laptop, I run genp chase or genp amazon and quickly have the pw ready to go in my clipboard. The apps / extensions and even the cli use emojis as a visual cue to let you know you typed in the correct masterpassword (since it's masked)

  • minitech 3 years ago

    The last time I looked at Lesspass, its implementation was worryingly incompetent[1][2]. Just use your browser’s password manager; it’s less phishable than a manual `genp site` and your passwords don’t pass through your clipboard.

    EDIT: I revisited the code. Looks like everything in [1] is fixed, nothing in [2] is fixed, there are now JWTs for some reason, and… they removed metadata encryption??[3][4] Or it was never in the first place and simple-crypto-js was used for something else? Either way, it’s a current and major flaw.

    [1] https://news.ycombinator.com/item?id=22587940

    [2] https://news.ycombinator.com/item?id=22582570

    [3] https://github.com/lesspass/lesspass/issues/185

    [4] https://github.com/lesspass/lesspass/blob/314fc7386f2c29750c...

  • roustem 3 years ago

    How does it solve the problem when the site is compromised and you are forced to change the password?

    • int_19h 3 years ago

      The inputs are domain + username + counter. So you just increment the counter.

      • AdamJacobMuller 3 years ago

        How does it solve the problem when bank1 requires [a-zA-Z0-9] characters (no special) and bank2 requires [a-zA-Z0-9!@#$%^&*()] characters (special required)?

        • int_19h 3 years ago

          You can set it up for that, as well. Of course, it means that you'll also have to back up the config, but it's just a JSON file. They do have a cloud service to sync that, too.

          I recommend checking out their main page - it's got plenty of screenshots that showcase all the important features:

          https://www.lesspass.com/
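The derivation idea discussed in this sub-thread (site + login + master password + counter, with per-site character rules) as an added, runnable illustration. This is not Lesspass's own code or algorithm: the KDF parameters, salt layout, profile names and character mapping below are this example's own choices, using only the Python standard library. It also shows the two points raised in the replies: incrementing the counter yields an unrelated password after a site breach, and a per-site profile can guarantee the character classes a site demands.

```python
"""Deterministic per-site password derivation (illustrative, not Lesspass's code)."""
import hashlib
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SPECIAL = "!@#$%^&*()"

# Per-site profiles, modelled on the bank1/bank2 case in the thread.
# Each profile: (allowed alphabet, classes that must each appear at least once).
# Profile names are constructed for this example.
PROFILES = {
    "alnum": (LOWER + UPPER + DIGITS, [LOWER, UPPER, DIGITS]),
    "alnum_special": (LOWER + UPPER + DIGITS + SPECIAL, [LOWER, UPPER, DIGITS, SPECIAL]),
}


def derive_password(site, login, master_password, counter=1, profile="alnum", length=16):
    """Derive the password for (site, login, counter) from the master password."""
    alphabet, required = PROFILES[profile]
    # The salt binds the output to site, login and counter, so a leaked
    # password for one site says nothing about another site's password, and
    # bumping the counter after a breach produces an unrelated password.
    salt = f"{site}\x00{login}\x00{counter}".encode()
    # A slow KDF: an attacker holding one derived password must still
    # brute-force the master password offline at this per-guess cost.
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000, dklen=64)
    # Consume the 512-bit output as one big integer and map it onto the alphabet.
    n = int.from_bytes(key, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(alphabet))
        chars.append(alphabet[idx])
    # Guarantee each required class at a distinct, deterministically chosen
    # position, using the leftover KDF bits.
    free_positions = list(range(length))
    for cls in required:
        n, j = divmod(n, len(free_positions))
        pos = free_positions.pop(j)
        n, idx = divmod(n, len(cls))
        chars[pos] = cls[idx]
    return "".join(chars)


def satisfies(password, profile):
    """Check a password against a profile's alphabet and required classes."""
    alphabet, required = PROFILES[profile]
    return all(c in alphabet for c in password) and all(
        any(c in cls for c in password) for cls in required
    )


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master password
    for site, profile in [("bank1.example", "alnum"), ("bank2.example", "alnum_special")]:
        pw = derive_password(site, "alice", master, counter=1, profile=profile)
        print(f"{site} (counter 1): {pw}  rules ok: {satisfies(pw, profile)}")
    print("bank1.example (counter 2):", derive_password("bank1.example", "alice", master, 2))
```

Nothing about a site's password needs to be stored; only the non-secret profile and counter per site do, which is the metadata the thread mentions syncing or keeping locally.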

  • insane_dreamer 3 years ago

    so simple even my grandma can do it! ;)

    in all seriousness, Lesspass has a cool concept (I hadn't heard of them before, just looked at their website now). I'd be interested in hearing what cryptography/security experts think about it.

    • mancini0 3 years ago

      Yep I bet she could - don't let the way I described my use of it as a 'poweruser' (via the cli) scare you off...the browser extensions are very user friendly, just ctrl-shift-L and fill out a few inputs

m4jor 3 years ago

I wonder if this was nation-state backed hackers or just some rando.

I'm guessing nation-state because it seems they stole some source code/R&D. I'd guess China. That's their entire MO. Further the Chinese economy by any means necessary. Why waste years and millions on R&D when you can just steal it?

https://www.cbsnews.com/news/chinese-hackers-took-trillions-...

  • g_p 3 years ago

    IP theft might also be a distraction for an attempt (perhaps unsuccessful, perhaps undetected as of yet) to gain a foothold in the development environment for introduction of future changes to the client code.

    For something like a password manager using client side crypto, compromising the software supply chain of the client is an interesting proposition for an attacker.

  • deepdriver 3 years ago

    Allegedly France is also big on industrial espionage, but this doesn’t get as much press since they’re a key NATO ally:

    https://www.france24.com/en/20110104-france-industrial-espio...

    • usehackernews 3 years ago

      On Lex Friedman’s podcast with former CIA spy Andrew Bustamante, Andrew stated that the French spy agency is the top in the world with this type of espionage.

      He said they put all their resources into industrial espionage and it’s pretty much their only focus.

      • secfirstmd 3 years ago

        Israel also very blatantly does it.

        The US does it also. Can't remember the exact number but contracts above 150 million can occasionally be "helped along" by national level assets.

      • deepdriver 3 years ago

        That's where I heard of it too. Apparently this view is shared by others in government as well, as revealed in the Wikileaks diplomatic cable dump.

greatgib 3 years ago

"engaged a leading cybersecurity and forensics firm."

This is the current trend each time there is a breach: let's pretend/show that we are serious and waste money taking "security" consultants, that will in the end probably tell us obvious things.

Pay more or listen to your own employees instead and eventually go hire competent engineers instead of funding bullshit jobs.

Lastpass is supposed to be in the "cyber security" field, so it is a little bit ridiculous to say that you need external help on this subject...

  • meowface 3 years ago

    Security incident response is a very specialized role that the vast majority of not only ordinary tech companies but also security tech companies can't necessarily be expected to do entirely on their own in the event of suspicion of a serious breach.

    This isn't hiring an auditor or consultant to recommend better security practices but more like a team of world-class detectives, investigators, and forensicists to figure out exactly what happened and how, what they might have done or taken, if they still have or could regain access, and, potentially, ideas as to who or what the culprits may be and what their objectives were. In particular, you want to have as much confidence as possible in what they may have done when they had access to your systems and that they have been effectively shut out and don't have any other access points/backdoors.

    LastPass undoubtedly also has their own security incident response team - most companies probably should - but it's like the local county PD calling in the FBI when a serious or sophisticated crime occurs.

  • aldarisbm 3 years ago

    Accidents can and will happen. If Lastpass conducted the review it wouldn't be seen as impartial, they need a third party to remain transparent.

aborsy 3 years ago

Suppose that LastPass is compromised. What can an attacker do? Passwords are encrypted, with keys on users’ side.

Short of serving customers malicious JS code or an app to steal passwords, the production environment referred to in the article can be made totally public, without secrets in vaults being revealed, no?

FridgeSeal 3 years ago

I wonder if this is a “precursor” attack to the likes of a solar-winds style compromise?

Get into their dev env (ideally unnoticed), exfiltrate the sensitive code you need, poke around their systems. Once you’ve got a handle on their code and have figured out what to add, do so and just begin the waiting game.

Maybe that’s all happened, and this attack is “air cover” for the last-stage.

martinky24 3 years ago

https://blog.lastpass.com/2022/08/notice-of-recent-security-...

Not good! All a password manager sells is trust. Without that they don't offer anything of value.

lawgimenez 3 years ago

I liked how I was reading in the middle of the paragraph a "subscribe to our newsletter" popped up. It threw me off my rhythm. Clever.

  • lioeters 3 years ago

    The best implementation of this delightful UX pattern should shock the reader, make the hair on their back stand up, perhaps jump a little in their seat, and completely forget what they were reading - then immediately close the browser tab with adrenaline and anger.

MikeKusold 3 years ago

If you're looking to move off of LastPass, and your company has a 1Password Business subscription, then you can get a free Family Account.

All your data is kept separate from the company, and if you depart you just need to add a credit card.

https://support.1password.com/link-family/

whoisjohnkid 3 years ago

Hmm, even though LastPass doesn’t have access to your pass, couldn’t a malicious software update cause an attacker to view your passwords when it runs, since the software ultimately has access?

This doesn’t seem to be the case in this incident though.

  • g_p 3 years ago

    Yes, absolutely - a compromised development environment might be the first step towards getting implanted code into shipping software, or getting to a signing environment (hopefully highly isolated, but you never know!), with a view to carrying out a supply chain attack.

    That's basically what happened in the solarwinds compromise.

  • woojoo666 3 years ago

    Yes it's possible that attackers could release a malicious client-side update but it would be immediately noticed and an alarm would be raised. Also I believe lastpass's client-side apps are open source, making it even more obvious when something is changed

  • jiveturkey 3 years ago

    I think you are referring to a malicious client software update. It doesn't even have to be that, since a common way to use LP is just over the web.

  • NoPicklez 3 years ago

    The software has access, but only using your master password which is also encrypted much like the passwords you have within the app.

    So unlikely.

aceazzameen 3 years ago

I'm so glad we switched from LastPass to Bitwarden earlier this year. It seems like every few years there's some kind of breach with LastPass.

  • notimetorelax 3 years ago

    What advantages does Bitwarden have in terms of security? I’m on LastPass and curious if and why I should switch.

    • Ch4otic 3 years ago

      All of the applications (Desktop, Mobile, CLI) and the API itself are completely open source: https://github.com/bitwarden

    • aceazzameen 3 years ago

      LastPass is a larger target for attacks, which is why there's some kind of breach or security issue with it every few years. It's too often. I already lost trust in them years ago, but was too lazy to switch until this year. BitWarden hasn't had the same issues yet. Plus BW is open source and critical bugs can't be hidden. There's also the option to self-host your data if you want.

      BitWarden's UX is a little different, and in some ways inferior to LastPass. Sharing passwords with my wife feels convoluted in BW, but it works perfectly fine. You have to create an "organization" where both users join, and then add your sites/pws to. In LastPass you just share it. But I've also found BitWarden works better, especially on mobile. LastPass would fail filling in passwords on some sites, and I'd have to use different autofill methods to get it to fill. But BitWarden doesn't have the same issue and mostly just works. I also like BitWarden's built-in 2FA field for each site's password, which eliminates having to use other authenticator apps. Except you'll still want to use a 2FA app for BitWarden's master password.

tylervigen 3 years ago

Incident impact and response seems adequate to me. Obviously I’d prefer no incidents, but this, with the right layers of security in place to prevent it from impacting users and transparent reporting, is the next best thing.

xenago 3 years ago

Not really a big worry, thanks to zero knowledge encryption. Glad it was disclosed. Probably not a fun time over there right now lol

bearjaws 3 years ago

This is definitely a better example of handling a breach, many others would disclose this years later (if at all) since nothing material has happened or is known to have happened.

We're looking at you Twitter / GitHub

niros_valtos 3 years ago

I like the way they handle the communication about the incident. There are 2 ways to interpret the message: 1. Someone managed to get access to dev credentials and exfiltrated source code (the part that is explicitly mentioned). 2. Someone managed to push code on behalf of the compromised account and they responded to this change (not mentioned, but otherwise how would they know the account was compromised - each SCM has its logging limitations).

jrm4 3 years ago

For all of its warts, at least crypto has managed to come up with a clever little motto that correctly states the issue, in the form of "not your keys, not your crypto."

Putting your passwords in the hands of a third party drastically increases your threat surface and no amount of hand-wavy "but it's not as convenient" will change this fact.

Now, it may be true that the convenience factor is very strong right now, but the solution will never be "let's keep hoping real hard that the third parties are good at this." Not unless any of the third parties are willing to take on indemnification or liability.

The proper thing to do is to figure out how we can best empower people on their own. I know it's difficult, but that doesn't fundamentally cut into the fact that "this is what SHOULD be done."

  • schmichael 3 years ago

    Not sure I follow. As stated in the article LastPass does not have the "key" (Master Password) in this case, so a straightforward reading of your comment suggests there's nothing to be worried about here. However I think what you're saying is that even trusting encrypted bundles of secrets to third parties is a bad idea?

    Even on this point I have to disagree because that's precisely what 2FA is for. Even if LastPass (or Bitwarden in my case) stole my vault's password and posted my credentials on pastebin, no one could log into any of my 2FA protected accounts. (Ironically this account on HN is one of the few that doesn't support 2FA. Oh no my internet points!)

    "not your keys, not your coins" may apply in the cutthroat 2FA-less decentralized world of cryptocurrencies, but most of the rest of the world has much more nuanced threat models.

    • solarkraft 3 years ago

      I thought the 2FA all the big services have is so that they will deliver you your encrypted vault, rather than another layer of encryption? (I know FIDO can theoretically do that, but AFAIK it really wasn't designed for it).

      The threat isn't the service having the encrypted vault anyway; we kind of trust the encryption to be decent (though of course you can't know what technological threats are looming).

      The real threat is that you're putting your password for decryption into a proprietary blob with an internet connection and auto-updates enabled. It might be sending your password random places now or maybe at some later point.

      Note that even a source-available password manager doesn't really solve this issue if it's not self compiled - and most of the time you'd probably want automatic security updates enabled on something security critical. But they can put anything they want to or are pressured into putting in there.

      • schmichael 3 years ago

        > I thought the 2FA all the big services have is so that they will deliver you your encrypted vault, rather than another layer of encryption?

        Correct, 2FA is protection in addition to your password manager. So if someone gets your unsealed vault they cannot log into any services without also compromising your second factor. 2FA is not for further cryptographic hardening of the vault itself.

        > The real threat is that you're putting your password for decryption into a proprietary blob with an internet connection and auto-updates enabled. It might be sending your password random places now or maybe at some later point.

        If you use Chrome and Safari your passwords are going through a proprietary blob with an internet connection and auto-updates enabled. If you use extensions for your browser they likely can steal all of your passwords.

        Nothing can protect you if you don't trust any of the code you're putting your secrets into, although 2FA with some USB devices covers a mind boggling range of threats. A keylogger and screen capture combined wouldn't be sufficient to bypass them.

        > Note that even a source-available password manager doesn't really solve this issue if it's not self compiled

        Are you compiling your browser from source after verifying every line of code it contains? If so what makes you think you can trust your compiler?

        You have to trust something. Choose your threat model. Choose your risks. Live your life.

        • jrm4 3 years ago

          Actually -- a "web of trust" idea for the browsers is quite sufficient.

          Google et al... have already proven that they are at least decent at security and that they care about things owing to their success in the market. They've proven that they've handled this reasonably well and following their lead on how to do security in software is probably pretty good. They have both experience and skin in the game, lots of it, in the form of lots of money et al.

          NOW, these password companies? NOPE. They simply don't have the right incentives in place to be trustable. (or more specifically, that they're going to be much better at securing my stuff than I will) They're too young and don't have sufficient "punishment" at the ready for me to be able to trust them much. They don't do indemnification, and liability for them isn't going to be great. I can't presume the same level of skill or care because the infrastructure/incentives aren't as presumably solid.

          (Put differently, the Lifelock guy was a hero, he was at least willing to put something real on the line.)

      • g_p 3 years ago

        Yes, 2FA/MFA is almost always just an access control measure over who can retrieve the (in this case encrypted) data from the server.

        TOTP is based on a shared secret that client and server both know (so inherently a compromised server can just skip it). For webauthn and similar, the token will sign a specific challenge, incorporating the site name and a counter value etc. The server stores the public key, but the check can be disabled.

        The real risk is the auto-updating client and the integrity and supply chain of the code it runs - unless you actually audit the client code, there's limited value in compiling it yourself. If the attacker can ship you a compromised signed binary, assuming the company is competent in their setup, they've compromised a development environment, code review environment, code signing environment, perhaps a CI/CD and testing environment, and then the release distribution environment. To get you to compile and install their dodgy source only requires a compromise of their development environment, as very few organisations will slow down their routine development cycle enough to add significant barriers to this one layer being compromised (as it has to be done for every commit checked in, every dependency changed, etc.)
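The contrast g_p draws between TOTP and WebAuthn, worked through as an added example (not code from the thread or from LastPass): a server holding the TOTP shared secret can compute the same codes the user's phone shows, whereas a relying party that stores only an ed25519 public key can verify an assertion but has nothing with which to forge one. The RFC 4226/6238 test secret is used for TOTP; the `assertion` struct, the `vault.example` relying-party ID and the challenge bytes are constructed simplifications of the real WebAuthn message format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// hotp computes an RFC 4226 HMAC-SHA1 one-time code for a counter value.
// Both sides hold secret, so whoever holds the server's copy can compute
// exactly the codes the user's authenticator app shows.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp is RFC 6238: the counter is Unix time divided into 30-second steps.
func totp(secret []byte, unixTime int64, digits int) string {
	return hotp(secret, uint64(unixTime/30), digits)
}

// assertion is a constructed, simplified stand-in for a WebAuthn assertion:
// the authenticator signs the relying-party ID, its signature counter and
// the server's fresh challenge. The real encoding is richer; the checks are the same.
type assertion struct {
	RPID      string
	Counter   uint32
	Challenge []byte
	Signature []byte
}

// signedData binds site name, counter and challenge into one signed message.
func signedData(rpID string, counter uint32, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	h.Write(c[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// newDeviceKey stands in for key generation inside the token: the private
// half never leaves it, and the server is only ever given the public half.
func newDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// authenticatorSign is the token's side of the exchange.
func authenticatorSign(priv ed25519.PrivateKey, rpID string, counter uint32, challenge []byte) assertion {
	return assertion{RPID: rpID, Counter: counter, Challenge: challenge,
		Signature: ed25519.Sign(priv, signedData(rpID, counter, challenge))}
}

// serverVerify is the relying party's side: it holds only the public key,
// the last counter it saw and the challenge it issued for this login.
func serverVerify(pub ed25519.PublicKey, expectedRPID string, lastCounter uint32, issuedChallenge []byte, a assertion) bool {
	if a.RPID != expectedRPID { // signed for a different site
		return false
	}
	if a.Counter <= lastCounter { // replayed assertion or cloned authenticator
		return false
	}
	if !bytes.Equal(a.Challenge, issuedChallenge) { // not the challenge we issued
		return false
	}
	return ed25519.Verify(pub, signedData(a.RPID, a.Counter, a.Challenge), a.Signature)
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret
	fmt.Println("TOTP at t=59:", totp(secret, 59, 6)) // 287082 per RFC 6238

	pub, priv := newDeviceKey()
	challenge := []byte("constructed-server-challenge")
	a := authenticatorSign(priv, "vault.example", 7, challenge)
	fmt.Println("genuine assertion verifies:", serverVerify(pub, "vault.example", 6, challenge, a))
	fmt.Println("same assertion replayed:   ", serverVerify(pub, "vault.example", 7, challenge, a))
}
```

The point of the second half is what `serverVerify` does not contain: there is no code path by which the relying party, holding `pub` alone, can produce a `Signature` for a new counter. The remaining exposure is the one g_p names: a compromised server can simply skip calling `serverVerify` and hand out the encrypted vault anyway, which is why the second factor gates access to the ciphertext but does not replace the strength of the master password that protects it.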

    • koolba 3 years ago

      > Ironically this account on HN is one of the few that doesn't support 2FA. Oh no my internet points!)

      Is the source for the live site public? 2FA could be added in an afternoon.

  • paultopia 3 years ago

    What does empowering people on their own even mean in this context? I thought password managers were how you empower people, in view of the constraints of:

    - passwords need to be strong, and that is inconsistent with being memorable

    - passwords shouldn't be repeated

    - people use multiple devices

    What is the user empowering solution to those three constraints other than password managers that store in the cloud, or flat-out ending passwords in favor of biometrics or something?

    • jrm4 3 years ago

      Again, there is no "cloud," there is only "other peoples computers." It's time to start taking seriously ideas like "home servers."

  • sbf501 3 years ago

    Well it's a good thing LastPass doesn't require you to put your passwords in the hands of a third party! Just the locally encrypted passwords. This is vastly different than, say, a crypto exchange, where the meme originated because in that case, the exchange can literally sign blockchain transactions for your wallet, because they share a key.

  • shigawire 3 years ago

    My problem is that as an unskilled person - will I be any better at securing my own system?

    • schmichael 3 years ago

      If the password journal my mom left at my house while visiting is any indication: absolutely not.

      Use a password manager, remember a 2nd password for your email yourself, and then use a second factor for as many things as possible. USB keys are best, but anything is better than nothing: SMS, Authy, Google Authenticator, phone call, whatever. Chrome and Safari both have password managers these days, and some Chromebooks even have a built-in second factor. 2FA is still a hassle for sure, but it's getting better all the time.

      • llbeansandrice 3 years ago

        People like to dunk on the password journal but I find it hard to believe that someone is going to break into your mom's house as the way to access her bank or Facebook account.

        It's a horrible idea to leave the password for the database sitting next to the admin's workstation. But physical access is a vastly different concern for a corporation than an individual.

        Threat surfaces are different for different people. I'd _love_ if my parents kept a separate password notebook instead of an unlocked note on their phone.

        2FA is obviously good but different. But a notebook is an entirely offline password manager and it immediately lets people do one of the most important things which is not repeat passwords.

        • nonethewiser 3 years ago

          Yup. Writing passwords on paper, at home, is just about as secure as it gets.

          • bongobingo1 3 years ago

            Self hosted, on-prem, 2FA (something you have and somewhere you are). If your handwriting's bad enough you're almost pushing into some kind of biometric lock.

            :)

      • insane_dreamer 3 years ago

        The password journal is probably the safest, provided the passwords themselves are strong. The likelihood of someone compromising your mom's passwords online is an order of magnitude greater than someone breaking into her house and copying her journal.

      • jrm4 3 years ago

        Unless she picked bad ones, or is prone to leaving it places, what exactly is the problem with the journal?

    • jrm4 3 years ago

      And my answer, as someone who doesn't work for a password company but is into this sort of thing, is "Yes, I believe one can be." -- or more precisely, "When you do it yourself, as opposed to a no-real-liability password company, you can get a better read on what the issues are."

      Consider a classic "grandma" solution. A little notebook with good passwords kept in the purse or wallet. The issues here are more knowable than with LastPass or whatever.

      • Godel_unicode 3 years ago

        > classic "grandma" solution

        > with good passwords

        Well, which is it?

        In all seriousness though, the two main benefits of password managers are they only autofill on the correct domain and they’ll suggest actually good passwords.
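The two benefits Godel_unicode names, autofill only on the correct domain and generation of genuinely random passwords, as an added example (not code from the thread or from any password manager). It puts a naive substring check beside a strict origin comparison so the difference is visible on lookalike URLs, and generates passwords from `crypto/rand`. The `bank.example` entries and the URLs are constructed; a real manager would additionally use the public suffix list to treat `login.bank.example` as the same registrable domain, which this exact-host version deliberately does not do.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"net/url"
	"strings"
)

// naiveMatch is the kind of check a hand-rolled autofill might use, kept as
// the weak form for comparison: a substring test on the whole page URL.
func naiveMatch(pageURL, savedHost string) bool {
	return strings.Contains(pageURL, savedHost)
}

// shouldAutofill is the strict form: parse both URLs, require https on the
// page, and require the page host to equal the saved entry's host exactly.
func shouldAutofill(savedOrigin, pageURL string) bool {
	saved, err := url.Parse(savedOrigin)
	if err != nil {
		return false
	}
	page, err := url.Parse(pageURL)
	if err != nil {
		return false
	}
	if page.Scheme != "https" {
		return false // never fill a credential into a plaintext page
	}
	return strings.EqualFold(page.Hostname(), saved.Hostname())
}

// alphabet is the character set the generator draws from.
const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&*+-=?@^_"

// generatePassword draws each character uniformly with crypto/rand; a
// math/rand based generator would be predictable from its seed.
func generatePassword(length int) (string, error) {
	out := make([]byte, length)
	limit := big.NewInt(int64(len(alphabet)))
	for i := range out {
		n, err := rand.Int(rand.Reader, limit) // uniform in [0, len(alphabet))
		if err != nil {
			return "", err
		}
		out[i] = alphabet[n.Int64()]
	}
	return string(out), nil
}

// fromAlphabet reports whether every byte of s comes from alphabet.
func fromAlphabet(s string) bool {
	for i := 0; i < len(s); i++ {
		if !strings.ContainsRune(alphabet, rune(s[i])) {
			return false
		}
	}
	return true
}

func main() {
	saved := "https://bank.example"
	// Constructed page URLs: one genuine, two lookalikes, one downgraded to http.
	pages := []string{
		"https://bank.example/login",
		"https://bank.example.lookalike.example/login",
		"https://lookalike.example/?next=https://bank.example",
		"http://bank.example/login",
	}
	for _, p := range pages {
		fmt.Printf("%-55s naive=%-5v strict=%v\n", p, naiveMatch(p, "bank.example"), shouldAutofill(saved, p))
	}
	pw, err := generatePassword(20)
	if err != nil {
		panic(err)
	}
	fmt.Println("generated:", pw)
}
```

Only the first page URL passes `shouldAutofill`; the substring check accepts all four, which is exactly the failure a manager's origin-bound autofill is meant to prevent.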

    • DreamFlasher 3 years ago

      No, but there are easy-to-use, reliable and secure solutions, such as Bitwarden.

      • Nextgrid 3 years ago

        I don't particularly see why Bitwarden would be any better at defending against this kind of attack, unless you're talking about self-hosting (and I would trust a hosted service more than a non-technical person self-hosting in this case).

        • g_p 3 years ago

          And even if you run self-hosted, you still need to either audit every line of the web vault (and changes made each time it's updated), or the browser extensions or client applications.

          Self hosting can help insulate you from a server side bulk compromise (with adequate security measures in place yourself which, as you say, not everyone will do), but it won't deal with the more pervasive software supply chain issues of compromised development environments etc.

  • hotpotamus 3 years ago

    I find the saying very trite, but it's self evidently true - the cloud is just someone else's computer.

    • jrm4 3 years ago

      :) :) :)

      I literally have this posted on my office door at the university where I teach.

larrybud 3 years ago

I wish they were more definitive as to if there was (or was not) any compromise of the source code repository credentials. Eg could the attacker have injected malware into the code as in the Solarwinds incident?

  • woojoo666 3 years ago

    They would have to push an infected update to all the client-side apps, which is something that would be extremely obvious and would have been immediately announced by Lastpass

    • woojoo666 3 years ago

      Update: another comment mentioned that the SolarWinds hack was a hijacked download, and companies did not catch on until much later. It seems like companies are not monitoring their releases as much as I'd hoped

alexeiz 3 years ago

I've switched to Bitwarden after the first of such incidents and never looked back. More incidents were just bound to happen to LastPass.

niros_valtos 3 years ago

LastPass did very well! Here’s why: https://www.arnica.io/blog/a-first-look-at-lastpass-security...

Aicy 3 years ago

Thanks for reminding me to delete my LastPass account.

I switched over to a self hosted bitwarden, and not only is the user experience a lot better, I've got better security confidence since my password store never leaves my home network.

robertwt7 3 years ago

There might not be an impact straight away; however, gaining access to source code means that it's easier for a hacker to find loopholes, is it not?

LastPass has to be ready for some sort of attack, I guess. It's good that they identified this early.

  • mr90210 3 years ago

    Not really.

    Take WordPress as an example: the code is open source, yet the majority of loopholes come from plugins, not really the core.

    But, we never know.

dehrmann 3 years ago

Didn't we decide to move off LastPass 5 years ago?

koheripbal 3 years ago

Access to a dev account means they might have pushed out a malicious code update.

Huge huge potential loss here for people until they affirm this didn't happen.

theshrike79 3 years ago

I switched providers the last time this happened, or was it the one before that.

Not a good look for an online password storage service.

  • NoPicklez 3 years ago

    As someone else said.

    Breaches can and will happen to anyone and we should assume they eventually will happen to everyone. What matters is how quickly you can detect the breach and how limited the impact is. It's still too early to tell exactly what's happening here yet. That said, if this only impacted a development environment that contained no customer data then this is a good example of that principle.

    • jackdawipper 3 years ago

      Hacked two weeks ago is what I am seeing, and they are still using words like "probably okay" wherever I look for answers. I haven't had an email update from LP since the word-salad notification they sent out yesterday that told me absolutely nothing but vagueries.

  • Ecstatify 3 years ago

    Same, when I have to change my password for a service I know it's time to leave. Also, it's so expensive: €2.90/month to basically store text files. Office 365 is €7/month and includes 1TB of storage.

  • jackdawipper 3 years ago

    Yeah, at this point it is about how well it is handled, and transparency of the incident. Currently I am seeing support staff on the LP reddit complain about customers' attitudes. I am done. Moving my partner off LP; I was out to Bitwarden some time back but didn't have a reason to force her into a change, 'til now.

psygandhi 3 years ago

Self-host with Bitwarden I guess?

DreamFlasher 3 years ago

Wouldn't have happened with Bitwarden ;)

  • latchkey 3 years ago

    More accurately, the source code is exposed all the time...

    https://github.com/bitwarden

  • stusmall 3 years ago

    That's not a healthy assumption. Breaches can and will happen to anyone and we should assume they eventually will happen to everyone. What matters is how quickly you can detect the breach and how limited the impact is. It's still too early to tell exactly what's happening here yet. That said, if this only impacted a development environment that contained no customer data then this is a good example of that principle.

    • cge 3 years ago

      I assume it was meant as a bit of a joke with a point, because of the nature of the breach. Here, the concern is that the development environment was breached, and source code and confidential technical details were accessed. Bitwarden is fully open source, both for the client and server, and they also offer docker images to self-host the server. Unlike Lastpass, an attacker gains nothing by stealing the code that the general public doesn't already have. Bitwarden developers argue that this 'source code transparency' is important for such a security system.

      However, it is at the same time fair to say that there are possible breaches for Bitwarden as well that would involve stealing information, despite being open source. Their website, the securing of the process by which their downloads and updates are produced and distributed, the way the hosting for their web vault is secured...
